Industry News
Published on 11 Jan 2022

2023 Annual Audit and Exam Issues: Insights from NETBankAudit

Read NETBankAudit's insights from the 2023 audit season, based on over 250 audit and over 750 technical testing engagements with financial institutions.

In the ever-evolving landscape of financial services, staying ahead of regulatory expectations and industry best practices is crucial. As a leader in IT auditing and risk management for financial institutions, NETBankAudit is pleased to share our insights from the 2023 audit season. Our analysis, based on over 250 financial institutions, provides a comprehensive view of the most pressing IT and compliance issues facing the industry today.

Download NETBankAudit's 2023 Annual Audit and Exam Issues in PDF format.

2023 Top Regulatory Issues for Financial Institutions

NETBankAudit Examination and Audit Volume

In 2023, NETBankAudit conducted 265 audit engagements, over 95% of which included some form of internal and external vulnerability assessment and testing:

  • 265 audit engagements
    • 80% IT/operations related
    • 13% BSA Compliance and BSA MIS
    • 7% Compliance/Internal Audit
  • 793 standalone technical testing engagements including:
    • Internal and external network penetration testing
    • System and process assessments  
    • Social engineering testing

Top 5 Financial Institution Regulatory Exam Issues of 2023

Based on our survey of approximately 250 financial institutions, the top five reported exam issues were:

Cybersecurity (19% overall)

  • NCUA and OCC were the leading bodies raising this issue
  • FDIC and FRB also showed significant concern

IT Governance (16% overall)

  • FDIC was the primary driver of this issue
  • FRB and State regulators also frequently cited IT Governance concerns

Business Continuity (10% overall)

  • FDIC led in raising this issue
  • NCUA and FRB also showed significant interest in this area

Incident Response (10% overall)

  • FRB and NCUA were the primary regulators focusing on this issue
  • FDIC and OCC also consistently raised Incident Response concerns

User Access (8% overall)

  • This issue was fairly evenly distributed among the regulatory bodies
  • FDIC, FRB, and NCUA were slightly more likely to raise User Access concerns

These findings highlight the continued focus of regulators on institutions' ability to protect against and respond to cyber threats, as well as the importance of strong IT governance frameworks.

2023 Exam Issue Distribution by Regulatory Body  

Our analysis reveals interesting patterns in how different regulatory bodies are addressing these issues:

  • FDIC (Federal Deposit Insurance Corporation): Accounted for 104 out of 358 (29%) of reported issues, making it the most active regulatory body in our survey. The FDIC showed particular concern with IT Governance and Business Continuity issues.
  • FRB (Federal Reserve Board): Responsible for 69 out of 358 (19%) of reported issues. The FRB's focus was evenly distributed across Cybersecurity, IT Governance, and Incident Response.
  • OCC (Office of the Comptroller of the Currency): Contributed 66 out of 358 (18%) of reported issues. The OCC placed a strong emphasis on Cybersecurity, which accounted for a significant portion of its reported issues.
  • NCUA (National Credit Union Administration): Generated 68 out of 358 (19%) of reported issues. The NCUA showed a particular focus on Cybersecurity and Business Continuity issues.
  • State Regulators: Accounted for 32 out of 358 (9%) of reported issues, with a balanced focus across various areas.
  • DIFS (Department of Insurance and Financial Services): Contributed to 19 out of 358 (5%) of reported issues, with a particular emphasis on IT Governance and Incident Response.

NETBankAudit's Top Identified IT Audit Control Evaluation Issues

NETBankAudit's COBIT-Based Audit Methodology

NETBankAudit employs a risk-based IT audit methodology founded on the latest version of COBIT, published by the Information Systems Audit and Control Association. This framework is widely recognized in the industry and aligns well with FFIEC IT Audit guidelines, including URSIT (Uniform Rating System for Information Technology).

Overview of COBIT

Our COBIT-based approach involves:

  1. Evaluating 22 control objectives across four main areas:
    • IT Governance
    • IT Management
    • IT Operations
    • IT Security
  2. Using COBIT's audit framework and maturity model to determine appropriate tests for each control area.
  3. Providing overall and component control objective ratings, supported by detailed documentation in our formal reports and work programs.

This methodology ensures a thorough, standardized approach to IT auditing that addresses both regulatory requirements and operational best practices. The table below outlines the identified issue prevalence.

2023 Distribution of Overall IT Audit Ratings

As part of our comprehensive IT audit process, NETBankAudit assigns overall ratings to each institution, providing a snapshot of their IT risk management maturity and effectiveness.

The overall distribution of IT Audit ratings for 2023 was as follows:

  • Strong: <1%
  • Satisfactory: 47%
  • Satisfactory with Recommendations: 42%
  • Needs Improvement: 10%
  • Unsatisfactory: <1%

These ratings demonstrate that while many institutions are meeting basic expectations, there's significant room for improvement across the industry.

Top IT Audit Issues for Financial Institutions Identified in 2023

Based on our COBIT-aligned audits of approximately 250 financial institutions, our top identified audit issues were:

  1. Network Security (18%): This includes evaluations of internal and external network vulnerabilities, firewall configurations, and overall network architecture security.
  2. Hardware & Software Controls (13%): Encompassing proper management of IT assets, including inventory, lifecycle management, and security configurations.
  3. Change Management & Problem Management (9%): Focusing on processes for implementing changes to IT systems and addressing IT-related issues effectively.
  4. User Access Controls (8%): Evaluating the processes and technologies used to manage user access to systems and data, including authentication and authorization mechanisms.
  5. Business Continuity Management (7%): Assessing the institution's ability to maintain critical operations during and after a disruptive event.

This data underscores the importance of a comprehensive approach to IT risk management, addressing both regulatory expectations and practical operational risks. Our COBIT-based methodology allows us to provide a holistic view of an institution's IT control environment, often identifying areas for improvement that may not be the primary focus of regulatory exams but are nonetheless crucial for effective IT governance and risk management.

Implications for Financial Institutions

Based on our comprehensive analysis of regulatory exam issues and our own audit findings, we've identified key action items for financial institutions looking to enhance their IT risk management practices. These findings suggest that financial institutions should:

  1. Prioritize network security measures, including regular vulnerability assessments and penetration testing.
  2. Implement robust hardware and software management processes, including comprehensive inventories and security configurations.
  3. Develop and maintain effective change management and problem management procedures.
  4. Regularly review and enhance user access controls.
  5. Ensure business continuity plans are comprehensive, up-to-date, and regularly tested.

By addressing these areas, institutions can not only meet regulatory expectations but also improve their overall IT governance and risk management posture.

Hot Topics and Emerging Trends

As part of our commitment to providing value-added insights, NETBankAudit continuously monitors the evolving landscape of IT risk in the financial sector. Our analysis, informed by our extensive audit experience and ongoing engagement with regulatory developments, has identified several key areas of focus for financial institutions in the coming year. These hot topics reflect both persistent challenges and emerging risks that institutions must address to maintain robust IT governance and security postures.

  1. Patch Management: Addressing end-of-life software and extended service plans.
  2. Fraud Detection: Particularly in ACH/Wire and Internet Banking.
  3. Cybersecurity:
    • Ransomware assessment
    • Social engineering (emails, texts, attachments)
    • Cyber insurance coverage and requirements
  4. Business Continuity: Focusing on contingent systems and processes.
  5. Data Assurance: Ensuring comprehensive backups and addressing employee errors.
  6. Incident Response: Developing and testing robust response plans.
  7. Vendor Management: Clearly defining responsibilities between the institution and vendors.
  8. AI: Addressing fraud concerns in areas like wire transfers and call-backs.

How NETBankAudit Can Help with IT Audits and Risk Assessments

As a specialized firm serving over 800 financial institutions across 38 states, NETBankAudit is uniquely positioned to help your institution navigate these challenges. Our comprehensive services include:

  • Risk-based IT General Controls Auditing
  • Internal and External Vulnerability Assessments
  • Penetration Testing
  • Social Engineering Testing
  • Specialized Transactional Audits (Digital Banking, Wire Transfer, RDC, ACH)
  • Value-Add Management Consulting

Our team of certified, senior-level auditors brings a wealth of experience in IT engineering, regulatory compliance, and financial services operations. We're committed to delivering high-quality, risk-based audits that not only meet regulatory requirements but also provide actionable insights to improve your institution's overall security posture and operational efficiency.

Don't let IT risks and compliance gaps hold your institution back. Contact NETBankAudit today to learn how we can help strengthen your IT risk management program and secure your institution's digital future.
